Analysis Overview
SHA256
a6960926d530880cde47a08146cb733b1b69fad3cd30b8af4d7afa999254e3c0
Threat Level: Known bad
The file 9.exe was found to be: Known bad.
Malicious Activity Summary
Echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-13 14:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-13 14:54
Reported
2021-08-13 14:57
Platform
win7v20210410
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9.exe
"C:\Users\Admin\AppData\Local\Temp\9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.247.117:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | f0554721.xsph.ru | udp |
| N/A | 141.8.193.236:80 | f0554721.xsph.ru | tcp |
Files
memory/1056-60-0x0000000000C10000-0x0000000000C11000-memory.dmp
memory/1056-62-0x0000000002120000-0x0000000002191000-memory.dmp
memory/1056-63-0x000000001AE70000-0x000000001AE72000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-13 14:54
Reported
2021-08-13 14:57
Platform
win10v20210408
Max time kernel
23s
Max time network
123s
Command Line
Signatures
Echelon
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9.exe
"C:\Users\Admin\AppData\Local\Temp\9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.245.108:443 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | f0554721.xsph.ru | udp |
| N/A | 141.8.193.236:80 | f0554721.xsph.ru | tcp |
Files
memory/764-114-0x00000215093A0000-0x00000215093A1000-memory.dmp
memory/764-116-0x0000021523960000-0x00000215239D1000-memory.dmp
memory/764-117-0x00000215097B0000-0x00000215097B2000-memory.dmp